Researchers Uncover Bankbot-ynrk And Deliveryrat Android Trojans...
Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices.
According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking its running within a virtualized or emulated environment, and then extracting device details such as the manufacturer and model name to ascertain if it's being executed on a real device.
BankBot-YNRK also checks if the device is manufactured by Oppo, or is running on ColorOS, a version of the Android operating system that's used on devices made by the Chinese original equipment manufacturer (OEM).
"The malware also includes logic to identify specific devices," CYFIRMA said. "It verifies whether the device is a Google Pixel or a Samsung device and checks if its model is included in a predefined list of recognized or supported models. This allows the malware to apply device-specific functionality or optimizations only on targeted devices while avoiding execution on unrecognized models."
The names of the APK packages distributing the malware are listed below. All three apps go by the name "IdentitasKependudukanDigital.apk," which likely appears to be an attempt to impersonate a legitimate Indonesian government app called "Identitas Kependudukan Digital."
Once installed, the malicious apps are designed to harvest device information and set the volume of various audio streams, such as music, ringtone, and notifications, to zero to prevent the affected victim from being alerted to incoming calls, messages, and other in-app notifications.
It also establishes communication with a remote server ("ping.ynrkone[.]top"), and upon receiving the "OPEN_ACCESSIBILITY" command, it urges the user to enable accessibility services so as to realize its goals, including gaining elevated privileges and performing malicious actions.
The malware, however, is capable of targeting only Android devices running versions 13 and below, as Android 14, launched in late 2023, introduced a new security feature that prevents the use of accessibility services to automatically request or grant app additional permissions.
"Until Android 13, apps could bypass permission requests through accessibility features; however, with Android 14, this behavior is no longer possible, and users must grant permissions directly through the system interface," CYFIRMA
Source: The Hacker News
